Because I said so? Why policies exist

Kim Stahl (MSIS ’97), who works in the ITS Policy Office, provides this guest post for National Cyber Security Awareness Month. She is available to talk about policies, and routinely rewards people who bring her policy issues to address. Contact her at its_policy@unc.edu with any IT policy ideas, questions or feedback.

People often say “we have to do this because it’s in the Policy.” But when I hear that, it sounds like failure. Whoever wrote that policy didn’t spell out the most important thing: WHY.

The reason is “Because it is important”

Policies exist because we have something important to do, and people needed to agree on what that important thing is. Where are the lines between what is OK and what is not OK? But the reason is never “because I said so in this document.” Whether or not it’s obvious from reading the document, the reason is always “because it is important.” Whether it’s reducing energy use, preventing conflicts of interest, keeping drones from disrupting the campus, or making sure that our personal information stays safe, policies tell us what some of our responsibilities are as members of the Carolina community.

Sometimes we have policies because a regulation tells us we have to (we have health information, Social Security numbers, and other data that we must protect because it’s important, but we have to do it in specific ways because regulations spell out those ways). Other policies are developed to address specific situations that arise and we need to get everyone on the same page (pun intended) when those situations come up again.

Differences between policies, standards and procedures

At UNC-Chapel Hill, we separate out our policies from standards and procedures. The documents all set out things we must do or not do as members of the Carolina community, and regardless of who we are and how we relate to the University, those things are required.

Policy documents are meant to tell us the “big picture.” Policies tell us why something matters and describe the boundaries. So if you look at policies on information security topics, you can see that we described what “vulnerability management” means, and that passwords are important, and that information security is everyone’s responsibility, that when we send sensitive information from place to place that how we do it matters. We have a policy that sets the bounds of acceptable use of technology to make those boundaries clearer, especially for people who may not have used technology before as part of an organization. Once we understand the landscape of an important issue, we then need more details.

Standards tell us in greater detail what our minimum expectations are. When we’re sending sensitive information, it needs to be encrypted, and our standard describes the minimum encryption strength required. A password standard will tell us the fewest number of characters we can use, but it’s better to go above and beyond. You can always do more than is required, but a standard gives us a minimum.

Procedures are step-by-step. If you want to report a security incident, there are very specific ways to do that. When everyone needs to do something exactly the same way, we use a procedure.

Everyone is responsible for information security

But you may have noticed that not everything we do is covered by a policy, a standard or a procedure. Life isn’t like that. Some things require a policy, and others don’t. “Where is it in a policy?” is the flip side of “we have to because the policy says so.” We don’t do things because policies tell us to, and we don’t not do things because there isn’t a policy about it. As a mom might say “would you jump off a bridge because there isn’t a policy telling you not to?” Security is like that. We try to give good guidance about important topics, but security responsibility is really on each individual. We do it because we care about our own or other people’s information. Whether that’s research data with people’s information that was entrusted to us, or office managers who have forms with people’s Social Security numbers, or your own Onyen that gives you access to your transcript and all of your financial information.

How the Information Security Office helps

The Information Security Office (ISO) tries to help by publishing policies, standards and procedures to tell people about key issues, but it’s on each of us to protect the information that our computers and phones can access. To keep our passwords to ourselves. To think about the data we’re entrusted with and play on the same team with every other Tar Heel to keep it safe. The ISO puts out a lot of information about how to do that. Help documents, web pages, emails, posters, events — all of those things feed into our understanding and build our common sense into expertise.

Seeing the policies as “we have to because it says so” makes it a game to find things the policies don’t say. The reasons for the documents should be the thing to keep in mind, and then you can participate by giving more feedback. “Hey, the policy says X, but have you considered Y? That seems even more important!”